Is it possible to set up a dynamic routing connection to AWS through a site-to-site VPN via a vendor?

Question

A customer wants to create a  network setup where their vendor establishes a VPN to Amazon, and from Amazon establish two VPNs to each of their two on-premises sites. Both sites are using a 3rd-party vendor appliance, and the customer believes that the vendor is operating on AWS and has Virtual Private Gateways (VGW) set up on their side. Specifics from the customer:

- They have a vendor with whom they must establish a VPN connection from their building sites (two of them) 
 - Each of the two sites have 2 independent ISPs providing internet service to the building
 - They would like a network set up where their vendor establishes a VPN to Amazon, and from Amazon- establish two VPNs to each site for redundancy- when one link fails, the other should carry the traffic
 - Their vendor allows them to have 1 VPN connection for each site.

VK · Accepted Answer

Yes, you can use VPN Cloudhub if it is strictly what you have mentioned. See [Providing secure communication between sites using VPN CloudHub](https://docs.aws.amazon.com/vpn/latest/s2svpn/VPN_CloudHub.html)  and [AWS VPN CloudHub](https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-vpn-cloudhub.html).

Or you can also use AWS Transit Gateway (TGW) + VPN(s), this will increase cost of TGW VPN attachments. This architecture gives more flexibility in terms of future need to connect to AWS VPCs.

Recommended approach is to go with TGW VPNs. It also has additional benefit of ECMP over VPN to get more VPN throughput whereas VPN Cloudhub is limited to 1.25Gbps throughput per VPN connection. [Site-to-Site VPN single and multiple connection examples](https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html#MultipleVPN) also cover both mentioned options.

Is it possible to set up a dynamic routing connection to AWS through a site-to-site VPN via a vendor?

Relevant content